It makes me sad to have to report that this morning I took down the Secure Password Reset campaign from this site.
The idea behind the campaign is still as sound as ever. We need to convince companies that using personal information as an authenticator is never a good idea and the practice must be ended. This is especially dangerous when it’s used in password reset scenarios. The only way to protect a credential is to protect it with another credential that’s equally strong.
But after three months, I was able to devote virtually no time to keeping the campaign going. I did manage to get one company assessment done, but did not get a chance to make any follow-up calls to the company.
The bottom line is that I still believe it’s a good idea, but I just don’t have enough hours in the day to keep it up. Thanks to everyone who signed up to support the campaign. Keep advocating for change wherever you can.